
As technology advances from the groundbreaking to the almost innocuous, everyday and even primitive, its multiple variations settle into a standard, whether organically or through formal discussion. Standardisation forms an essential part of a technology's adoption curve, and Blockchain/Distributed Ledger Technology (DLT) is no exception. One of the key people sounding the klaxon for blockchain standardisation sat down with the team to explain why we should be thinking about standards.

With a 20-year history in cyber security, Gilbert Verdian has held several C-level roles across many respected organisations and public institutions such as Vocalink, NSW Health, HM Treasury and the Federal Reserve. Gilbert was also recently awarded the much-sought-after title of CISO of the Year in June. We asked Gilbert how he first came across blockchain and why he thought it was the right time to talk standards. Gilbert told us how he had provided the first spark of conversation within the corridors of Westminster while at HM Treasury, when he spurred senior officials to assess and consider bitcoin, and its impact on the UK, back in 2008. It wasn't until 2014, during his work at the Australian Government's Department of Health, that he was able to work on building blockchain solutions, in this instance a solution to longstanding issues with health record interoperability and security. This activity ultimately resulted in a wider discussion about compliance and standards. Campaigning initially for better understanding from government and regulators, Gilbert could see beyond the initial use case of secure data sharing in health IT to cross-industry, multi-functional applications of blockchain.

Despite initial resistance, Gilbert envisioned the scope of change blockchain was to bring, stating: 'I see a potential similar to that of the internet in the early 90s. We're at the cusp of something big; blockchain can change a lot of how the internet operates and a lot of how processes operate, we just don't know what we can do yet.' The most valuable step was then to standardise a shared vision of blockchain, so that everyone was working from the same definitions and the technology's benefits could be realised. This was done by authoring the ISO proposal to standardise blockchain and then establishing a technical committee. The proposal was approved in October 2016 and the ISO/TC307 committee quickly grew from five to eight to now over thirty-five countries and bodies such as the European Commission. From Gilbert's perspective, there was a clear and immediate sense of momentum and enthusiasm, the likes of which was previously unknown to the standards community.

We were interested in understanding a bit more about how the ISO committee was broaching such a nascent and fast-evolving subject as blockchain. Gilbert explained that the first and current step was to divide the work. The committee initially split into several working groups covering the following themes: reference architecture; taxonomy and ontology; use cases; security and privacy; identity; and smart contracts. We understood that two more working groups, covering governance and interoperability, would soon be established. It is from the amalgamated work of these groups that we can expect initial guidance for a blockchain standard.

With a better understanding of how blockchain standards are being developed, we wanted to learn a bit more about the motivations directing this movement. Twenty years of experience in cyber security had taught Gilbert a lot about the dangers of technology lock-in, and he could already see tell-tale signs of this developing in blockchain. Gilbert added that 'by having standards it gives us that option to move between technologies, and during implementation clients can align to standards, which makes it easier to implement with confidence in continued compliance.'

Returning to his experience in the public sector, we discussed the various regulatory responses to blockchain. In the UK, the FCA and the Bank of England appear to have really engaged with the subject of blockchain. Gilbert informed us that the Bank of England has included the capability to interface with blockchain elements in its Real Time Gross Settlement (RTGS) Blueprint. Importantly, these blockchain elements would eventually be based on ISO standards once the standard is complete. Though the UK, and certainly Australia, have in their own way been pioneering in their engagement with DLT, Gilbert believed that the EU Commission and the European Central Bank, who have a reputation for being early movers on issues of technology, were quite far ahead in their engagement. Discussing our thoughts on the future of blockchain, it became clear that welcome experimentation must be followed by a settling of standards before we could possibly expect wider adoption of blockchain. That said, it would not be long until industry could expect these standards to develop, with much progress already having been made.

A: Blockchain has been in the experimental stage for the past two years. 2017 is becoming the inflection point when people stopped experimenting with blockchain and started to implement and test it in real world use cases. Private and public organisations are constantly looking at the disruptive benefits of technology and how they can apply this innovation in order to bring change to existing internal and external business processes.

We can now find numerous blockchain use cases that have demonstrated the value of this technology. As with many technological advancements, we need proper governance and design to manage risk. Risks need to be managed in order to realise the full potential of any implementation.

Q: Which sectors and applications are most likely to benefit from this platform?

A: Versatility and the diverse application of blockchain mean we have seen benefits across numerous sectors and industries, with financial services and government receiving significant focus. The supply chain lends itself well to this technology. There was a recent use case in the farming sector, where from ‘farm to table’ the blockchain was able to cut out 20 of the steps it takes for a farmer to get paid. It reduced the process to three steps, with no delays in settling invoices.

The blockchain cuts out middlemen in complex processes and transactions and the reach of benefits can be significant. For example, the two billion people in the world with no bank account could get banking access through blockchain technology as it offers fewer barriers to entry. Quick and efficient onboarding of new banking customers and their access to financial services would completely disrupt traditional banking onboarding methods.

Blockchain can verify banking identity much more quickly and easily than in the branch of a bank. Once an identity or person has been verified, any organisation can access that identity to save the duplication of time and effort of ID checks. Once an ID check is done everyone can use that as definitive confirmation.

Blockchain can give traditional areas of financial services greater efficiency and cost savings in existing operational processes. This can also span central banks and capital markets as well as the plethora of products and services wrapped around these organisations.

Q: How is the market addressing issues of standardisation?

A: Market forces traditionally allow innovators to create products and foster innovation. But based on past experience this is not always the best course of action due to the potential of technology lock-in. This in turn could make it difficult to migrate platforms in the future. I foresaw the potential challenges of this approach back in 2016 and proposed that the ISO create a Blockchain ISO Standard that will allow for interoperability, governance and security internationally, in order to define a common model through a standard that will support organisations and allow them to benefit from future blockchain technologies.

35 countries and many organisations, including the European Commission, are involved in the Blockchain ISO Standard, which will take two to three years to create. A number of work streams are running which each address a different part of the standard, including: terminology; reference architecture, taxonomy and ontology; security and privacy; identity; smart contracts; governance; and interoperability.

The ISO standard will allow for the wide adoption of blockchain, allowing governments and regulators to endorse it, for organisations to adopt it and for citizens to benefit from it.

Q: What will be the barriers and challenges to growth and adoption?

A: The market is dispersed at the moment, so the challenge will be to herd everyone in the right direction. There are no barriers or parameters currently in place to enforce controlled adoption. In the UK this is being encouraged, including through technology partners in the ISO process. Partners that are part of the standardisation work such as Hyperledger (IBM) and R3 that are building blockchain technology can take progress, updates and thinking around the standard back into their organisations and products. The output will be that people building the technology will deliver solutions that are truly interoperable and compatible with the standard.

Q: What risks should organisations consider when thinking about implementing blockchain technology?

A: Contrary to what the media would have you believe, blockchain is not the panacea for everything. The key is being able to understand the real benefits of the technology, then look at existing business processes or use cases that make good candidates for blockchain. It's only then, through proper governance and risk management, that one can assess the tangible benefits and outcomes that organisations would like to achieve. Then add some Silicon Valley 'fail fast' methodology (try it and if it doesn't work then park it) to prove use cases and proofs of concept. You would then be in a position to determine if this technology delivers benefits over the long term. Consideration needs to be given to operational, technological and financial benefits before applying common economics – in other words, will this provide a better return?

On a general level, I think the Cyber Security Awards provide the rubber stamp that cyber security is an important issue. Whereas in the past it's always been an afterthought; you had to work hard to get someone senior to look at it, and now it's such an important issue. The awards show the amount of recognition that security has these days. I think it's a good way to promote security across sectors and the industry. We are seeing a lot of real action where security has been elevated to the board of companies and in government, whereas before it was the IT tool. I think it's exciting, although to me it's not a recent thing; I've been in security for 20 years and it's been a long journey to get here.

Since winning, I've been getting queries asking how I got into security and how I became a CISO. I wrote a blog to show the journey and the path. It's hard work but the effort does pay off. It's not just a personal thing for me. Why I do security is to use the skills and the experience that I have to help people. That's what it's all about for me. I'm doing whatever I can, in a physical and digital sense, to help people.

What are you most proud of in your career?

It's really making a difference. I've worked on some really interesting projects. It's a combination of being in the right position and the right organization in order to make a real difference to citizens and to people. I've done some cool things and some fun things as well. I did the security for Arsenal stadium for 3 years and I was asked to break into the stadium during a match; that was a fun highlight that I really enjoyed. I got into the stadium. We found a weakness in a system within the stadium and how it works. That was a highlight. I have made a lot of impact in government, just having that impact to change the way a country operates. I worked in the Treasury department and a lot of the changes I made impact the whole country to protect them better from threats. There is a lot of recognition that doing security at that government level has that dramatic change in people's lives. When I was in the Australian government, 2 years ago, I managed to change the privacy laws. I made the case that we need this and it's needed to protect citizens and give them better rights to privacy. I had a lot of resistance but I kept it up and I got 2 sections in the privacy laws.

I also like mentoring. I really enjoy talking to people and companies that are doing things in security, to guide them, or to help them help the industry, because they are making things or doing things that will put them on a new path: helping people or companies to become more effective and better at what they do.

For others looking to follow in your footsteps, what would you recommend?

To be effective in security you have to start at a technical level and understand everything, due to the scale of what security covers. If you are a network person or a database person or a developer, you are only looking at one thing. Security is across every single thing out there within IT. I think that it is a key thing to understand the building blocks, even better than the subject experts in that area. As a security practitioner, you need to be better than the network guys, better than the database guys, better than the developers, because you have to constantly help them and challenge them to do things better. That's a good start for a good security practice. You need that technical skill to get the respect. If you are just quoting policy but not putting forward solutions, you lose respect very quickly.

Eventually, you leverage that technical skill. What you do next is get into the business, on the people side. It's even more important to be people-focussed and to have the soft skills. Security is a very complex technical field. It is extremely important to translate something that's highly complex and highly technical into something that normal business people and board members can understand. Putting yourself in their shoes. Understanding what it means to them. What are they responsible for? The Head of HR doesn't care about the security of the internal room booking system, but they care if people are safe from the threats that are out there. Do they understand the risk around the way they operate or the way they use social media? So you need to understand the people you're accountable to. Get out there and contribute, give back to the community and to the industry. It's a very special area and skill; don't just help one organization or one team or company. Go out there and try and help an industry, get involved in external bodies.

Is there anything you would go back and change?

I think it would have been good if we had the focus we now have on security many years ago rather than in 2016/2017. It has taken a long time for people to recognise the importance of it, and the dependence we have on technology has changed a lot in 10 years. With wireless internet and all the other digital things that have come out, it would have been good if all this had happened in 2007. We are only at the beginning; the risks and threats that we are facing are right at the beginning of the chapter of the internet. We are just going into an era of everything being connected. We are going to have autonomous cars, autonomous ships. Our transport is going to be driven by machines and AI. We are connecting everything at home to the internet. TVs, kettles, fridges, they are already on the internet. We are expanding the reach of people, of organizations and the way we trust each other. We are fundamentally changing how we operate as a society. Security is going to be more important for the next 20 years.

What is it like to work for your current company?

It is great! I was working in the government out in Australia. I was at the beach and I thought, wow, this is a cool opportunity. I joined just under a year ago and VocaLink have been supportive and given me all the things that I needed. Things we have needed to do have been done and accepted; there hasn't been much resistance. They are quite open to changing the team and the security approach and how we are doing things. I'm constantly in the process of improving and delivering better security. We are part of MasterCard now, so we are taking a similar approach to them. We are trying to shape the thinking to be more global. It's been good and exciting; there are a lot of new things we can do.

What do you think we will see from the cyber market in the next 12 months?

We need to see an improvement in the security around machine learning and AI. We can leverage machine learning and AI to become more effective security practitioners. What we really need is the foundation of AI to help complement and increase the security effectiveness of what we already have. I'm seeing a lot of activity in that space and we will see a lot more.

The bad guys are getting even more creative than they used to be. They are taking highly weaponised exploits that have been leaked from governments. We are going to see more of the recent WannaCry ransomware happening, which is unfortunate. It is unnecessarily effective, because the vulnerabilities they use, the industry hasn't found or patched yet, so we have to respond each time.

The final thing is the human impact of these security threats. You are going to start seeing ransomware on your kettle and you can't turn it on until you pay. Not being able to make tea is annoying, but eventually it will be something bigger. Maybe you can't leave the house because all the digital doors have locked, or you can't start your car in the morning because someone has taken control of it. It is the human side of security which is not nice to experience. We are going to see something like that, probably in the next 12 months. My previous role was in healthcare and I did see the first incidents of security attacks impacting human life. I fixed some vulnerabilities where, potentially, you could end someone's life from a security attack, and possibly no one would know. We have connected pacemakers, so the option is there to break into these devices. What we could see is someone being killed from this, and that is really scary. IT systems and networks not working are annoying, but they don't impact life. For IoT, we need to step up our security game. The market is changing but the risks exist already.

The Cyber Security Awards were established in 2014 to reward the best cyber security individuals, teams and companies across the world – with a focus throughout on excellence and innovation.

I consider myself as a technologist with an upbringing in business and a deep background in technology and security. Having over 20 years of industry experience I have worked across Government in Downing St, HM Treasury, Cabinet Office, Ministry of Justice and NSW Health and private sector at CSC, EY, Vocalink and HSBC.

My career has taken me from technology and consulting to healthcare, government and into financial services. Throughout, there has been a consistent theme of wanting to make life better and safer for people, as well as protecting the assets and reputation of any individual company or Government.

For me it really all started with Unix (BSD/OS), being introduced to it at the age of 6, it fascinated me on how it worked. I have a curious mind and to this day need to understand how everything works! I grew up spending hours each night in my parent’s garage breaking computers, putting them together, building networks, running linux and exploring the digital world through modems. Sometimes I would lose track of time staying up until sunrise before I had to then go to school. Thankfully I have very understanding and supportive parents who helped support and nurture this curiosity.

I didn’t study computer science during school and university, I have always been interested in the business side of technology and how it can help business and people. After completing a Bachelor of Business degree with a major in e-business I took an MBA majoring in strategic management, both at the University of Technology, Sydney.

I began my career at an ISP on the helpdesk, working in technology from the ground up. After a year with E&Y Consulting I joined CSC in 2001 as a Senior Security Architect, helping build the security practice, and then as EMEA Security Architecture and Consulting Manager and Strikeforce Global Practice Lead based in London. In these roles I advised corporate and government clients on a variety of security issues.

In 2007, I re-joined E&Y in London as a Senior Manager, where I advised a number of government and commercial clients such as Deutsche Bank, National Grid, Lloyds and The Crown Estate, and was also responsible for security for Arsenal FC and for the 2012 London Olympics.

From there I was seconded to HM Treasury becoming Deputy CTO and CISO with responsibility for all aspects of national security across Whitehall and HMG. After my time there I provided additional CxO support to a number of major corporates and gained a lot of experience in M&A, followed on by roles in HMG at the Ministry of Justice.

There has always been a strong public service component and accountability both to my career and to my motivation, and I think this has reached its apex working in or with Government. In 2014, as the CISO of NSW Health and CIO of NSW Ambulance, by applying the technical rigour I had developed in other roles, I identified and addressed unique clinical weaknesses in healthcare processes and technologies. This was really impactful, as the lack of security in healthcare can result in loss of life. This was the first time I was seeing the real-world transition of risk from the digital world to the physical. I'm proud to say some of my work while at Health on privacy has now been written into law to help protect citizens.

Alongside the roles outlined above I have also founded and run a number of security-related enterprises in Australia, the US and the UK, and have played a pioneering role in the understanding and evolution of new technologies and security. Which leads me to Blockchain. I foresaw the importance of the technology in 2009, introducing it to Government while at HM Treasury to determine the impact on the UK. I continued working on its potential and drove the initiative to develop a Blockchain ISO Standard, which was approved in October 2016 as TC307, where we have 35 countries and organisations working on it. I am currently the chair of the ISO National Committee on Blockchain for the UK.

Another area I am heavily focused on is Artificial Intelligence. I truly see the potential of the technology not to replace what people do, but to complement and augment our capability to enhance our output. The areas of machine learning, especially deep learning, and quantum algorithms really fascinate me, as does how to apply them to real-world use cases.

I am really excited about the next stage of technology evolution, the convergence of AI, Blockchain and Cybersecurity. The next 5 years will really make a dramatic impact to the world! More on that in upcoming posts.

I would like to share that I’ve been elected Chair of the UK’s national committee on Blockchain and Distributed Ledger Technology – DLT/1 supported by the BSI, the UK’s standards body.

BSI will form this committee, which represents the "UK voice" on what is needed and feeds into the international standards in development in the new ISO committee. The committee should represent all the relevant stakeholders (academia, government, trade associations, SMEs, etc.).

It's been quite a start to 2017, moving back to London in July after 2.5 years in Australia. While in Australia, in April 2016, I authored the following proposal to create an ISO Standard for Blockchain with the help of Standards Australia.

The vote took place at ISO in October with the following countries endorsing the proposal and Australia being appointed the Secretariat of the technical committee (TC307). Each country will form its own national committee and send representatives to the ISO Technical Committee (TC307).

His career led him to also give back to the community by teaching at Towson University as an Adjunct Associate Professor.

He also helped shape the Cloud Security Alliance, being part of the leadership team and the co-chair of the CSA governance, risk, and compliance (GRC) stack initiative and the CloudTrust Protocol (CTP) initiative.

On a personal note, Ron was my mentor. Every career move, idea and big decision, I ran by him. He always had the best advice and it was comforting to be able to entrust your thoughts with someone with so much experience, wisdom and knowledge.

Working with him in the US, UK and virtually for many years on a number of different projects I got to know him quite well. He was a truly wonderful person.